ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] AD review comments for draft-ietf-ipsecme-tra

Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

From: Grewal, Ken <ken.grewal_at_nospam>
Date: Fri Sep 18 2009 - 23:06:17 GMT
To: "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>, "ipsec@ietf.org" <ipsec@ietf.org>

Hi Pasi,
Many thanks for the great feedback. I will incorporate all these items as part of the WESP update during the next virtual interim meeting on Sept 22. Furthermore, I have opened multiple tickets to ensure these are tracked and resolved.

Some comments inline...and others will result from the discussion during the interim meeting.

- Ken  

>-----Original Message-----
>From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
>Of Pasi.Eronen@nokia.com
>Sent: Thursday, September 17, 2009 6:05 AM
>To: ipsec@ietf.org
>Subject: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-
>I've now done my AD review for draft-ietf-ipsecme-traffic-visibility-08.
>I have two substantive comments, and a bunch of minor
>The substantive comments first:
>- A question: did the WG discuss the pros and cons of integrity
>protecting the WESP header? (This does make WESP more complex to
>implement, and currently the WESP header does not contain any data
>that would benefit from integrity protection in any way.)
[Ken] This change was the result of a discussion on threats posed by 'malware', which could modify the WESP headers to obfuscate the payload from inspection by intermediate nodes such as IDS/IPS systems. The issue (ticket #104) was raised and closed some time back after lengthy discussions on the topic. http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104

>- IPv6 requires extension headers to be aligned on 8-octet boundaries,
>and I believe this requirement applies to ESP, too (see e.g. RFC 4303
>Section 2.3, 2nd paragraph). All current ESP specs (all encryption
>algorithms, UDP encapsulation, etc.) meet the 8-octet alignment
>requirement -- but adding a new four-octet header there obviously
>breaks it.

[Ken] Great point! Yes, this will need to be addressed and we do need to provide an extension of the header for alignment purposes in IPv6 usages. I have opened a new ticket (#109) to track this.

>Some minor clarifications/editorial nits:
>- The text currently uses "using ESP-NULL [RFC2410]" and "unencrypted"
>as synonyms. This was accurate before RFC4543, but is not any more.
>This needs some clarifying text somewhere (perhaps Section 1).
>- Section 1 needs a sentence or two motivating the existence of the
>"E" bit -- currently it comes as a surprise to the reader later.

[Ken] I have reopened the related ticket #84 and we will generate / vet additional text to elaborate on the motivation.

[Ken] I have captured the items below in a single new ticket (#110) as most are minor editorial changes.

>- Section 2/2.1: In Figures 1, 2, and 3, the bit numbers should be
>shifted one character to the right.

[Ken] OK

>- Section 2: In some parts of the text, the last 8 bits of the WESP
>header are called "Flags"; in other parts, the last 5 bits are called
>"Flags". I'd suggest changing e.g. Figure 2 so that last 5 bits are
>called "Rsvd" or something.

[Ken] Agreed, using Rsvd is better than Flags.
>- Section 2: "The bits are defined LSB first, so bit 0 would be the
>least significant bit of the flags octet." This doesn't match the bit
>numbering in Figure 2 (where bit 0 is the most significant bit).
>However, the bit numbers are not really used anywhere, so I would just
>suggest deleting this sentence.

[Ken] Agree. We already have new text in the next rev of the draft using MSB, as Tero had separately raised this point.

>- Section 2: It would be helpful if the text explicitly said that
>HdrLen values less than 12 are invalid (and probably HdrLen values
>that are not multiple of 4 are invalid, and multiple of 8 for IPv6

[Ken] OK.

>- Section 2: the text about TrailerLen is a bit unclearly written --
>the offset from the end of the packet to the last byte of the payload
>would be a negative number. I'd suggest phrasing this something like
>the "The number of bytes following the payload data in the packet, in
>octets: i.e. the total length of TFC Padding (normally not present for
>unencrypted packets), ESP Trailer (Padding, Pad Length, Next Header),
>and ESP ICV."

[Ken] Will discuss the scope of this, based on separate comment from Tero.

>- Section 2: "the packet must be dropped" -> "the packet MUST be
>- The figures in 2.2.1 and 2.2.2 are very confusing, since they
>suggest WESP could be applied as a separate step after ESP processing
>(that was possible in some earlier versions of the draft, but not any
>more since ICV covers the WESP header). Since they don't really
>present much new compared to the figures in RFC 4303 Section
>3.1.1/3.1.2, perhaps they could be omitted? Or if we want to keep
>them, they probably should show the packet before applying ESP?

[Ken] Someone (do not recall who) had asked for these figures. But, I agree that it is misleading. So, propose we either remove these figures or change the 'before' diagrams to raw, instead of ESP.

>- Section 3: s/IPSec/IPsec/
>- Section 4: this section is missing the allocation of SPI value 2
>to indicate WESP from the "SPI Values" registry.
>- Section 4 should say that for the WESP Version Number, the
>unassigned values are 1, 2, and 3.
>- Section 6: [RFC4306], [RFC3948], and [RFC5226] should be normative
>references, not informative.

[Ken] OK.
>Best regards,
>IPsec mailing list

IPsec mailing list